Exam CAS-004 All Questions
Question 390

A security analyst is reviewing the data portion acquired from the following command:

tcpdump -lnvi icmp and src net 192.168.1.0/24 and dst net 0.0.0.0/0 -w output.pcap

The data portion of the packet capture shows the following:

The analyst suspects that a data exfiltration attack is occurring using a pattern in which the last five digits are encoding sensitive information. Which of the following technologies and associated rules should the analyst implement to stop this specific attack? (Choose two.)

    Correct Answer: A, D

    To stop the specific data exfiltration attack described, the analyst should implement an Intrusion Prevention System (IPS) and use a rule that matches the specific data pattern observed in the ICMP traffic. An IPS inspects network traffic in real time and blocks malicious activity based on predefined rules. The rule provided, which matches a sequence of 26 lowercase letters followed by 5 digits (regex [a-z]{26}[0-9]{5}), is precise and aims to detect the pattern used in this attack. Employing both the IPS and the rule ensures that the specific data exfiltration attempt is identified and stopped.
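As an added illustration (not part of the question, the site's explanation, or any poster's answer), the following Python applies the option-D pattern to the data portion of ICMP echo packets the way an inline IPS rule would: parse the ICMP header, search the payload for 26 lowercase letters followed by 5 digits, and return a reject/pass verdict together with the five digits the analyst suspects carry the encoded data. The packets are constructed in the script; the `build_icmp_echo`, `parse_icmp` and `inspect_icmp` names are this example's own. (In real Snort syntax the regular-expression keyword is `pcre`, not `regex`.)

```python
import re
import struct

# Pattern from option D: 26 lowercase letters followed by 5 digits.
EXFIL_PATTERN = re.compile(rb"[a-z]{26}[0-9]{5}")

ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 792 ones'-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Construct an ICMP echo request (type 8, code 0) carrying the given payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes):
    """Split a raw ICMP packet into (type, code, payload); the payload is the 'data portion'."""
    if len(packet) < 8:
        raise ValueError("ICMP packet too short")
    icmp_type, icmp_code, _checksum, _rest_of_header = struct.unpack("!BBHI", packet[:8])
    return icmp_type, icmp_code, packet[8:]


def inspect_icmp(packet: bytes):
    """Apply the option-D rule to one packet.

    Returns ("reject", "<five digits>") when the payload matches, else ("pass", None).
    The digits are returned so an analyst can see what the matched packet encoded.
    """
    _, _, payload = parse_icmp(packet)
    match = EXFIL_PATTERN.search(payload)
    if match is None:
        return "pass", None
    return "reject", match.group(0)[26:].decode("ascii")


def scan(packets):
    """Run the rule over a list of packets and return the verdict for each."""
    return [inspect_icmp(p) for p in packets]


# Constructed sample traffic (not a real capture):
SAMPLE_PACKETS = [
    build_icmp_echo(b"abcdefghijklmnopqrstuvwxyz12345"),  # the suspected exfil pattern
    build_icmp_echo(bytes(range(0x10, 0x38))),            # filler like a stock ping payload
    build_icmp_echo(b"abcdefghijklmnopqrstuvwxyz1234"),   # only four digits: no match
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, scan(SAMPLE_PACKETS)):
        print(parse_icmp(pkt)[2], "->", verdict)
```

The search is unanchored, so the pattern is found anywhere in the data portion, which matches how a content rule inspects a payload; the checksum helper lets the same script validate captured packets (a well-formed packet checksums to zero) before a verdict is trusted.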

Discussion
041ba31 (Options: AD)

The best solutions to implement to stop this specific attack are: A. Intrusion prevention system: An IPS can be configured to detect and block suspicious patterns of data, such as the specific exfiltration pattern identified here. D. reject icmp any any <> any any (msg:"alert"; regex [a-z]{26}[0-9]{5}): This rule uses a regular expression to match the pattern of 26 lowercase letters followed by 5 digits, which can be used to detect and reject packets containing the suspected encoded sensitive information.

wizwiz (Options: AD)

The regex expression is an exact match!

talosDevbot (Options: AD)

D is a Snort rule with a regex expression that will prevent this attack. While B is a viable answer, A is a better answer since it complements D (Snort is an IPS).

Potato42 (Options: BD)

It's B and D: B is obvious and I think everyone can agree that a DLP would be ideal in such scenarios. The only dilemma is between A (IPS) and D, which is a very accurate Regex pattern that rejects any ICMP traffic between any sources and destinations that contain a specific pattern: 26 consecutive lowercase letters followed by 5 consecutive digits. This pattern already implies that there is an IPS in place, so it's more accurate than selecting A.

MacherGaming (Options: AD)

AD: D - A SNORT rule rejecting from any ip/port to any ip/port, either outbound or inbound ('<>') matching the RegEx. A - SNORT rules are not applied on a DLP, they are applied to NIPS.

gpt_test (Options: BD)

B. Data loss prevention Brief Explanation: DLP systems can be configured to recognize and prevent the transfer of sensitive information based on patterns, like the last five digits in this scenario. D. Reject icmp any any <> any (msg:"alert"; regex: [a-z]{26}[0-9]{5}) Brief Explanation: This rule is written for a network-based intrusion prevention system (IPS). It uses a regular expression to match the pattern of 26 letters followed by 5 digits, which corresponds to the suspected data exfiltration pattern.

armid

And where do you configure D if you already don't have A? A is a prerequisite to D. Also, implementing A and D will already drop packets like this, making DLP redundant.

ElDirec (Options: AD)

A & D because it requires a technology along with a rule to be applied while using it. The only rule I see is the one for an IPS. DLP would be good, but I don't see a rule that can be applied along with option B.

Delab202 (Options: BD)

To mitigate the data exfiltration attack, the analyst could implement Data Loss Prevention (DLP) technology with rules specifically targeting patterns involving the last five digits, preventing sensitive information from being encoded or leaked.

OdinAtlasSteel (Options: BD)

B. Data loss prevention (DLP): DLP solutions are designed to identify, monitor, and protect sensitive data to prevent unauthorized access or transmission. By implementing DLP policies that specifically target and inspect traffic for patterns resembling the suspected data exfiltration (e.g., identifying the sensitive information format in the last five digits), the DLP system can block or alert on such transmissions. D. Intrusion prevention system (IPS): IPS solutions can be configured with rules and signatures to detect and prevent suspicious or malicious network activity. A custom signature or rule can be created within the IPS that specifically looks for the suspected pattern observed in the data portion of the captured packets. For instance, a signature similar to the provided regex pattern [a-z]{26}[0-9]{5} might be employed within the IPS to detect this specific data exfiltration attempt.

BadgerTester

The IPS is A, not D. Did you mean A?

OdinAtlasSteel

Sorry for the confusion. I think that you need to use the regex command to create a DLP rule. IPS is not correct. The question asks which technology and associated rule you should implement. The correct answers are B. DLP and D. (regex rule)

OdinAtlasSteel

In the context of the scenario where a specific pattern ("abcdefghijklmnopqrstuvwxyz[5 digits]") is suspected to be involved in the data exfiltration, a DLP solution can be configured with a rule using regex matching to actively monitor and prevent the transmission of this suspected sensitive information. DLP solutions offer a more targeted approach toward identifying and stopping data leakage based on specific data patterns. While an Intrusion Prevention System (IPS) is valuable in general network security for detecting and preventing various threats, including specific patterns in network traffic, a DLP solution is specifically tailored for identifying and preventing data leakage, making it more suitable for addressing the suspected data exfiltration attack based on the provided pattern.

biggytech (Options: AB)

Answer is AB since D does not exactly match what is being exfiltrated. If D were correct then it should be AD, based on the context of the question asking for a specific rule.

23169fd (Options: AD)

A. Intrusion Prevention System (IPS) Implement an IPS with a custom rule to detect and block the specific pattern in the data payload. The rule could use a regex pattern to match the last five digits. D. reject icmp any any <> any any (msg:"alert"; regex [a-z]{26}[0-9]{5}) This Snort rule (or a similar rule in another IPS) can detect ICMP packets with a specific pattern where 26 alphabetic characters are followed by 5 numeric digits. This rule will help in identifying and blocking the suspicious data exfiltration pattern. Justification:

saucehozz (Options: AB)

Maybe I'm overthinking this, but a combo of A and B works well in this scenario: A) Configure DLP to identify and block the encoded data with the five-digit pattern from being transferred, regardless of protocol. B) Create an IPS rule to identify and block ICMP packets with a payload of 31 bytes (26 alpha and five numeric patterns) from the internal network.

MacherGaming

You are underthinking this... The question is looking for a technology and a rule. AB is listing two technologies.